
OpenEMR — Vulnerabilities & Security Advisories (120)

Browse all 120 CVE security advisories affecting OpenEMR. AI-powered Chinese analysis, POCs, and references for each vulnerability.

OpenEMR is an open-source electronic health record and medical practice management application designed to facilitate patient data management and clinical workflows. Historically, its codebase has exhibited significant security flaws, with over 120 Common Vulnerabilities and Exposures (CVEs) recorded. These vulnerabilities predominantly involve remote code execution, cross-site scripting, and privilege escalation, often stemming from insufficient input validation and improper access controls within the PHP-based architecture. Notable incidents include critical flaws allowing unauthenticated attackers to execute arbitrary commands or bypass authentication mechanisms, exposing sensitive patient information. The high volume of historical CVEs reflects challenges in maintaining rigorous security standards across a large, community-driven codebase. While recent updates have addressed many issues, the application’s complexity and extensive feature set continue to present attack surfaces that require diligent patching and configuration hardening to mitigate risks associated with data breaches and unauthorized system access.

Top products by OpenEMR: OpenEMR (openemr/openemr)

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-34056 | OpenEMR has a Privilege Escalation that Allows a Low-Level User to View Admin-Only Data | openemr | CWE-285 | 7.7 | High | 2026-03-25 |
| CVE-2026-34055 | OpenEMR has IDOR in Patient Notes Web UI allows unauthorized note access/modification | openemr | CWE-639 | 8.1 | High | 2026-03-25 |
| CVE-2026-34053 | OpenEMR Missing Authorization in Procedure Order AJAX Deletion Handler | openemr | CWE-862 | 7.1 | High | 2026-03-25 |
| CVE-2026-34051 | OpenEMR has Improper ACL On Import/Export Popup | openemr | CWE-285 | 5.4 | Medium | 2026-03-25 |
| CVE-2026-33934 | OpenEMR's Missing Authorization in show-signature.php Allows Portal Patients to Read Staff Signatures | openemr | CWE-639 | 4.3 | Medium | 2026-03-25 |
| CVE-2026-33933 | Reflected XSS via Unescaped contextName Parameter in Custom Template Editor | openemr | CWE-79 | 6.1 | Medium | 2026-03-25 |
| CVE-2026-33932 | OpenEMR has Stored XSS in CCDA Preview via Unsanitized linkHtml Attributes | openemr | CWE-79 | 7.6 | High | 2026-03-25 |
| CVE-2026-33931 | OpenEMR has IDOR in Portal Payment Page that Allows Cross-Patient Record Access | openemr | CWE-639 | 6.5 | Medium | 2026-03-25 |
| CVE-2026-33918 | OpenEMR Missing Authorization on Claim File Download Endpoint | openemr | CWE-862 | 7.6 | High | 2026-03-25 |
| CVE-2026-33917 | OpenEMR has SQL Injection in CAMOS Form | openemr | CWE-89 | 8.8 | High | 2026-03-25 |
| CVE-2026-33915 | OpenEMR Missing ACL Checks on Insurance Company API Routes | openemr | CWE-862 | 5.4 | Medium | 2026-03-25 |
| CVE-2026-33914 | OpenEMR has SQL Injection in PostCalendar Category Delete | openemr | CWE-89 | 7.2 | High | 2026-03-25 |
| CVE-2026-33913 | OpenEMR: XInclude Injection in CCDA Import Allows Reading Arbitrary Server Files | openemr | CWE-611 | 7.7 | High | 2026-03-25 |
| CVE-2026-33912 | OpenEMR has reflected XSS in ajax_download.php via reportID parameter | openemr | CWE-79 | 5.4 | Medium | 2026-03-25 |
| CVE-2026-33911 | OpenEMR vulnerable to reflected XSS in graphs.php via title parameter | openemr | CWE-79 | 5.4 | Medium | 2026-03-25 |
| CVE-2026-33910 | OpenEMR has a SQL Injection Vulnerability in patient selection | openemr | CWE-89 | 7.2 | High | 2026-03-25 |
| CVE-2026-33909 | OpenEMR Vulnerable to SQL Injection via Unsanitized Variables in MedEx Recall/Reminder Processing | openemr | CWE-89 | 5.9 | Medium | 2026-03-25 |
| CVE-2026-33348 | OpenEMR has Stored XSS in patient encounter Eye Exam form $CHRONIC2 and $CHRONIC3 | openemr | CWE-79 | 8.7 | High | 2026-03-25 |
| CVE-2026-32120 | OpenEMR has IDOR in Fee Sheet Product Save | openemr | CWE-639 | 6.5 | Medium | 2026-03-25 |
| CVE-2026-29187 | OpenEMR Vulnerable to Authenticated Blind Boolean-Based SQL Injection in new_search_popup.php | openemr | CWE-89 | 8.1 | High | 2026-03-25 |
| CVE-2026-33346 | OpenEMR has stored XSS in portal_payment.php via Unescaped table_args | openemr | CWE-79 | 8.7 | High | 2026-03-19 |
| CVE-2026-33305 | OpenEMR has Authorization Bypass in FaxSMS AppDispatch Constructor | openemr | CWE-696 | 5.4 | Medium | 2026-03-19 |
| CVE-2026-33304 | OpenEMR has Authorization Bypass in Dated Reminders Log | openemr | CWE-639 | 6.5 | Medium | 2026-03-19 |
| CVE-2026-33303 | OpenEMR Vulnerable to Stored XSS via Unescaped portal_login_username in Credential Print View | openemr | CWE-79 | 5.4 | Medium | 2026-03-19 |
| CVE-2026-33302 | OpenEMR: zhAclCheck Ignores Explicit ACL Denies | openemr | CWE-863 | 7.6 | - | 2026-03-19 |
| CVE-2026-33321 | OpenEMR has Out-of-Band Server-Side Request Forgery (OOB SSRF) | openemr | CWE-918 | 7.6 | - | 2026-03-19 |
| CVE-2026-33301 | OpenEMR has arbitrary image file read via PDF generator | openemr | CWE-116 | 3.5 | - | 2026-03-19 |
| CVE-2026-33299 | OpenEMR has Stored XSS in patient encounter Eye Exam form answers | openemr | CWE-79 | 5.4 | - | 2026-03-19 |
| CVE-2026-32119 | OpenEMR has Stored DOM XSS via SearchHighlight text-node reconstruction on Custom Report page | openemr | CWE-79 | 4.4 | Medium | 2026-03-19 |
| CVE-2026-32238 | OpenEMR has Remote Code Execution in backup functionality | openemr | CWE-78 | 9.1 | Critical | 2026-03-19 |

This page lists every published CVE security advisory associated with OpenEMR. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.